{ "type": "URL", "indicator": "https://softwaredatabase.xyz/UnammnrsettingsCPU.txt", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://softwaredatabase.xyz/UnammnrsettingsCPU.txt", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4291760789, "indicator": "https://softwaredatabase.xyz/UnammnrsettingsCPU.txt", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ce8e1115feef9588ff58db", "name": "Fake Installers to Monero: A Multi-Tool Mining Operation", "description": "The financially motivated operation designated REF1695, tracked by Elastic Security Labs since late 2023, employs a sophisticated range of attack techniques, including the distribution of Remote Access Trojans (RATs), cryptominers, and Cost Per Action (CPA) fraud through deceptive installer packages. This operation's consistency in technical infrastructure and social engineering tactics indicates a single actor behind multiple campaigns.", "modified": "2026-05-02T15:06:05.332000", "created": "2026-04-02T15:41:05.468000", "tags": [ "cnb bot", "campaign", "claude", "virustotal", "xmrig loader", "powershell", "purerat", "pureminer", "github", "hashrate return", "themida", "rats", "xmrig", "loader", "monero miner", "miner", "false", "purecrypter", "beyond", "payload", "download", "easy", "silentcryptominer", "ui" ], "references": [ "https://www.elastic.co/security-labs/fake-installers-to-monero" ], "public": 1, "adversary": "REF1695", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 21, "URL": 23, "domain": 12, "hostname": 8 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d4b5af3643099082163175", "name": "agdnjghnjsdf", "description": "The full list of people who have signed up to use the Winautordr website for the first time has been compiled by a number of websites and groups.. and their websites have been updated.", "modified": "2026-04-07T07:43:43.823000", "created": "2026-04-07T07:43:43.823000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 18, "URL": 10, "domain": 8, "hostname": 9 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "53 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.elastic.co/security-labs/fake-installers-to-monero", "Book1.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "REF1695" ], "malware_families": [], "industries": [], "unique_indicators": 1013 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/softwaredatabase.xyz", "whois": "http://whois.domaintools.com/softwaredatabase.xyz", "domain": "softwaredatabase.xyz", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ce8e1115feef9588ff58db", "name": "Fake Installers to Monero: A Multi-Tool Mining Operation", "description": "The financially motivated operation designated REF1695, tracked by Elastic Security Labs since late 2023, employs a sophisticated range of attack techniques, including the distribution of Remote Access Trojans (RATs), cryptominers, and Cost Per Action (CPA) fraud through deceptive installer packages. This operation's consistency in technical infrastructure and social engineering tactics indicates a single actor behind multiple campaigns.", "modified": "2026-05-02T15:06:05.332000", "created": "2026-04-02T15:41:05.468000", "tags": [ "cnb bot", "campaign", "claude", "virustotal", "xmrig loader", "powershell", "purerat", "pureminer", "github", "hashrate return", "themida", "rats", "xmrig", "loader", "monero miner", "miner", "false", "purecrypter", "beyond", "payload", "download", "easy", "silentcryptominer", "ui" ], "references": [ "https://www.elastic.co/security-labs/fake-installers-to-monero" ], "public": 1, "adversary": "REF1695", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 21, "URL": 23, "domain": 12, "hostname": 8 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d4b5af3643099082163175", "name": "agdnjghnjsdf", "description": "The full list of people who have signed up to use the Winautordr website for the first time has been compiled by a number of websites and groups.. and their websites have been updated.", "modified": "2026-04-07T07:43:43.823000", "created": "2026-04-07T07:43:43.823000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 18, "URL": 10, "domain": 8, "hostname": 9 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "53 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://softwaredatabase.xyz/UnammnrsettingsCPU.txt", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://softwaredatabase.xyz/UnammnrsettingsCPU.txt", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780173796.221467 }